Overview
The CVE-2007-5379 vulnerability shows how older Ruby on Rails releases before 1.2.4 allowed remote attackers to determine the existence of arbitrary files and read arbitrary XML via Hash.from_xml, which relies on XmlSimple (XML::Simple) in an unsafe way. This configuration permitted attackers to leverage external entity processing (XXE) to coerce the server into revealing contents of sensitive files. In practice, an attacker could craft XML that, when parsed by Hash.from_xml, triggered file reads on the host such as the Pidgin (Gaim) accounts.xml, exposing credentials or other secrets. This class of vulnerability is categorized under CWE-200: Information Disclosure. The patch released with Rails 1.2.4 addressed unsafe XML handling by removing or hardening these unsafe parsing patterns and advising safer alternatives. This guide explains the real-world impact, how it was exploited in Rails contexts, and how to fix it in modern Ruby on Rails code.
Affected Versions
Rails before 1.2.4 (1.0.x-1.2.3)
Code Fix Example
Ruby on Rails API Security Remediation
Vulnerable:
# app/controllers/sensitive_data_controller.rb
class SensitiveDataController < ApplicationController
  def show
    xml = params[:xml]
    # Untrusted request input is handed straight to Hash.from_xml, and the
    # resulting hash is echoed back to the client unchanged.
    data = Hash.from_xml(xml)
    render json: data
  end
end
Fixed:
# app/controllers/sensitive_data_controller.rb
require 'nokogiri'

class SensitiveDataController < ApplicationController
  def show
    xml = params[:xml].to_s
    # Do not parse untrusted XML with Hash.from_xml; use a safe XML parser.
    # Nokogiri's default options already leave entities unsubstituted and never
    # fetch external resources (NONET); state NONET explicitly so a later change
    # to the defaults cannot silently reopen the hole.
    doc = Nokogiri::XML(xml) { |config| config.nonet }
    # Whitelist only the fields you actually need instead of echoing the
    # whole document back
    username = doc.at_xpath('//user/username')&.text
    value = doc.at_xpath('//user/value')&.text
    render json: { username: username, value: value }
  end
end
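The controller above relies on the parser's defaults; the following is an added example, not code from the page or from Rails, showing the same two ideas in a form that runs outside Rails: a gate that refuses anything other than a plain, DTD-free XML document before any parser sees it, and an allow-list extraction that copies out only the fields the caller names. It uses REXML (shipped with Ruby) instead of Nokogiri; the size limit, the error class, the root and field names and the sample documents are all assumptions constructed for the example.

```ruby
# Added example (not part of the original page): a dependency-free gate for
# untrusted XML followed by allow-listed field extraction. REXML ships with
# Ruby, so this runs outside Rails; the limits and field names are assumptions.
require 'rexml/document'

class UnsafeXmlError < StandardError; end

MAX_XML_BYTES = 64 * 1024 # assumed ceiling; tune per endpoint

# Reject anything that is not a plain, DTD-free XML document.
# Returns the left-stripped XML on success, raises UnsafeXmlError otherwise.
def vet_untrusted_xml(input, max_bytes: MAX_XML_BYTES)
  raise UnsafeXmlError, 'xml must be a String' unless input.is_a?(String)
  raise UnsafeXmlError, 'invalid encoding' unless input.valid_encoding?
  raise UnsafeXmlError, 'xml too large' if input.bytesize > max_bytes

  xml = input.lstrip
  # A request body that does not begin with '<' is not an XML document at
  # all; refuse it instead of letting a parser guess what it is.
  raise UnsafeXmlError, 'not an XML document' unless xml.start_with?('<')
  # Entities (internal or external) can only be declared inside a DOCTYPE,
  # so refusing any DTD removes the XXE and entity-expansion surface.
  raise UnsafeXmlError, 'DTD not allowed' if xml.match?(/<!(DOCTYPE|ENTITY)/i)
  xml
end

# Parse vetted XML and copy out only the allowed direct children of the
# expected root. Unknown elements are dropped rather than echoed back.
def extract_fields(input, root:, allowed:)
  xml = vet_untrusted_xml(input)
  doc = begin
    REXML::Document.new(xml)
  rescue REXML::ParseException => e
    raise UnsafeXmlError, "malformed xml: #{e.message}"
  end
  raise UnsafeXmlError, "expected <#{root}> root" unless doc.root&.name == root

  allowed.each_with_object({}) do |field, out|
    node = REXML::XPath.first(doc, "/#{root}/#{field}")
    out[field] = node.text if node
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: one extra element the caller never asked for.
  sample = '<user><username>alice</username><value>42</value><role>admin</role></user>'
  p extract_fields(sample, root: 'user', allowed: %w[username value])
  # => {"username"=>"alice", "value"=>"42"}
  begin
    extract_fields('<!DOCTYPE user SYSTEM "user.dtd"><user/>', root: 'user', allowed: %w[username])
  rescue UnsafeXmlError => e
    puts "rejected: #{e.message}"
  end
end
```

In a controller, `extract_fields(params[:xml], root: 'user', allowed: %w[username value])` replaces the `Hash.from_xml` call, and `UnsafeXmlError` can be mapped to a 400 response with `rescue_from`. Refusing every DOCTYPE is deliberate: an endpoint that only ever expects a small element tree has no legitimate use for a DTD, so rejecting it outright is simpler and easier to audit than tuning parser flags.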